Sunday, August 30, 2015

José Selvi: "You open your sniffer and start to do unexpected things..."

José Selvi. The pentester.

It seems that José Selvi is very annoyed at not having lived through the 90's underground hacker period. It's useless to try to explain to him that a lot of hackers his age, 34, didn't either. It's an interesting place that his curiosity, his desire for knowledge, has not visited. We'd bet he would trade all his certifications, and he has a lot*, for attending a single UnderCon.

Anyway, we can't imagine this quiet man being a pirate on an IRC-Hispano chat. Selvi is a white wizard who entered hacking through his studies. Without moving from Valencia, he has passed from the videogame screen to cybersecurity, from his IT engineering degree to his current job as Senior Penetration Tester at the British company NCC Group.

You're known for your blog and your talks, given at almost every Spanish and foreign CON. Why?

You know how this works: an unending cycle of read, read, read, play, play, play. I spent a lot of time on these activities until one moment I thought I was learning a lot of things from people putting information out there in an altruistic way, and maybe it was the moment to continue "the cycle of life" by being the one who shared whatever I had learnt. So I started with the blog. Afterwards, Christian Martorella and Vicente Díaz invited me to give a talk at the FIST in Barcelona and I discovered I liked it.

You are the only Spaniard who's given a talk this summer at Defcon. What was it about?

It's a very simple concept. Our computers synchronize their clocks automatically with the Internet from time to time, using a protocol that has not been configured properly by a lot of manufacturers. My attack consists of intercepting that traffic and manipulating it to change the computer's date to 2008, or 2042, or whatever year I want. For this purpose I developed a tool called Delorean, as a reference to one of my favourite movies when I was a kid. By manipulating the date I achieve, for example, that the computer accepts SSL certificates that expired in 2008 and are not safe, also intercepting the victim's SSL traffic.
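As an added illustration (not Selvi's Delorean tool or any code from the interview), the following Python models both sides of the risk described above: a client that parses the Transmit Timestamp of an NTP server reply and, as a mitigation, refuses any time step larger than an assumed sanity threshold, and a certificate validity check that shows how a certificate expired in 2008 becomes acceptable once the clock has been moved back. The reply builder, the threshold value, the `demo()` function and the sample dates are constructed for this example.

```python
import struct
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
# Assumed sanity threshold for this example: refuse a single step larger than
# this many seconds. ntpd's default panic threshold is also 1000 s, but the
# value here is our own choice, not a setting read from any daemon.
MAX_STEP_SECONDS = 1000

def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47 of the reply) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("NTP packet too short")
    if (packet[0] & 0x07) != 4:          # low three bits of byte 0 are the mode; 4 = server
        raise ValueError("not a server-mode reply")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def build_ntp_reply(unix_time: float) -> bytes:
    """Constructed server reply (LI=0, VN=4, mode=4) whose Transmit Timestamp is unix_time."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * 2**32))
    header = bytes([0x24]) + bytes(39)   # byte 0 = 0b00_100_100; remaining header fields zeroed
    return header + struct.pack("!II", whole + NTP_UNIX_DELTA, frac)

def accept_time_update(local_now: float, server_time: float,
                       max_step: float = MAX_STEP_SECONDS) -> bool:
    """Mitigation: only apply a server time that lies within max_step of the local clock."""
    return abs(server_time - local_now) <= max_step

def cert_is_valid_at(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """Validity-period check as a TLS client performs it against its own clock."""
    return not_before <= now <= not_after

# Constructed scenario (UTC): the real clock reads 2015, the certificate expired in 2008.
LOCAL_NOW = datetime(2015, 8, 30, 12, 0, tzinfo=timezone.utc)
CERT_NOT_BEFORE = datetime(2007, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2008, 12, 31, tzinfo=timezone.utc)

def demo() -> dict:
    """Run the scenario and return the outcomes for inspection."""
    local = LOCAL_NOW.timestamp()
    benign_reply = build_ntp_reply(local + 0.25)   # ordinary drift of 250 ms
    rogue_reply = build_ntp_reply(datetime(2008, 6, 1, tzinfo=timezone.utc).timestamp())
    rogue_time = parse_ntp_transmit_time(rogue_reply)
    return {
        "benign_accepted": accept_time_update(local, parse_ntp_transmit_time(benign_reply)),
        "rogue_accepted": accept_time_update(local, rogue_time),
        "cert_valid_real_clock": cert_is_valid_at(CERT_NOT_BEFORE, CERT_NOT_AFTER, LOCAL_NOW),
        "cert_valid_if_stepped": cert_is_valid_at(
            CERT_NOT_BEFORE, CERT_NOT_AFTER,
            datetime.fromtimestamp(rogue_time, tz=timezone.utc)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The step limit is the point a defender takes away: a reply that would move the clock by years is refused, while normal drift of a fraction of a second is applied, and the certificate that is rejected under the real clock would only be accepted if the step had been allowed.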

Where do you get the ideas for such devilish research?

There's no recipe, but you need to know as much as possible about the technology you're researching and, from there, it's an absolutely artistic process. You open your sniffer or debugger and start doing unexpected things to see if the software does anything funny. There's a lot of instinct and intuition, or at least that's how I think about it.

When you have to add creativity, do you prefer to imagine that you're a bad Russian blackhat or maybe Fu Manchu? :D

Hahahaha. Fu Manchu Smirnoff Do Santos would be ideal. :'D The best of both. ;)

Is pentesting what hacking is called to avoid frightening the customers?

More or less xDDD. We could say it's a part of Hacking. Hacking is much more open, it doesn't have barriers. Pentesting would be the "selling" part of Hacking. For a long time we used "Ethical Hacking" as a synonym for Pentesting, making the most of the marketing of the word "Hacker", but I never liked it, because it seems to say that plain "Hacking" is not ethical. It's like a group of bank robbers using Karate and then whoever practises it having to say it's "Ethical Karate". It's odd. Don't you think so?

Which area of pentesting do you like most?

The network part. I imagine it was like this because almost everyone in my circle went into the Web part in the beginning, and I've never liked going in the same direction as others. In the last few years I've liked the mobile operating systems part, although I haven't studied it, like the OS part, as much as I would like. Give it time :)

When you have to explain to your aunt from Murcia what you do, how do you explain to her what a pentester is?

Sometimes I joke that I test pens and draw snails in notebooks :P

We live in a script-kiddie paradise, with Metasploit and the like. Does it annoy you that it seems anybody can do your job, or do you like it because it automates the boring tasks and lets you go beyond?

It's true that now there are a lot of awesome tools like Metasploit which make things much easier to do. I like them because they allow me to do things faster. There are people who can also use them without having the skills to develop the tool, but these people get stuck when the tool doesn't work or the exploit doesn't return them a shell right away.

There's a big discussion about who should be allowed to use hacking tools. What's your opinion?

It's true that the law, at least as I understand it, is a bit generic, and it allows going after someone if they want to, but I don't think there's an attempt to attack the community, as some think. I've got no intention of changing the way I've been doing things until now, because I think I'm acting the right way, openly, and if someone doesn't think so and reports me... we'll explain it to the judge and wait for his opinion :)

But I don't think it will reach that point, because what would happen is that people would stop contributing, publishing and warning users in a selfless way, and would go back to sharing techniques and tools in private, in circles of trust, and that would be bad for everybody, and I'm sure that is not what the lawmakers want.

Selvi, at university.
You look like a serious guy. What makes you smile?

My wife says I'm bland xD I'm apparently serious, that's true, but I like jokes a lot. The one who makes me smile the most is my wife.

By the way: how did you start in the world of IT security?

The first steps, very basic, were at university. Then I finished my degree and started working at Panda Security, in the Valencia office. There were only 5 of us in my group but all of them had an exceptional level (one of them an ex-29A). That was my perdition and I ended up completely inside this world.

*- GIAC Security Expert (GSE)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Security Essentials (GSEC)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)

Text: Mercè Molist 